Latest Information Security news from Ireland and around the world

It is not OK to break the law to catch criminals, judge rules

It was a single warrant, issued in the Eastern District of the US state of Virginia, but the FBI used it to justify the worldwide hacking of computers to identify tens of thousands of people who wandered into its honeypot: a dark web site called Playpen that was dedicated to child sex abuse.

In a closely watched, potentially pivotal case, a judge has said that the warrant was unconstitutional. He’s recommending that reams of evidence collected under the warrant be considered inadmissible in hundreds of criminal cases against Tor users suspected of trafficking in child abuse imagery on Playpen.

The Bureau infamously ran Playpen for 13 days, from February 20 to March 4 2014, serving up illegal child abuse imagery with the blessings of a US court and the resources of the US government.

According to court documents in a related case, the FBI used a so-called network investigative technique (NIT) – what’s also known as police malware – to force a total of more than 8,000 computers that visited Playpen to cough up their IP addresses; MAC addresses; open ports; lists of running programs; operating system types, versions and serial numbers; preferred browsers and versions; registered owners and registered company names; current logged-in user names; and their last-visited URL.

It was a massive haul of evidence, and it led to the arrests of nearly 900 people worldwide.

As is becoming ever more clear as cases wind their way through the courts, it was a fishing expedition, with the FBI using the warrant to find suspects to identify. That’s not how warrants are supposed to work. Rather, they’re supposed to be issued with a specific scope, with a specific target, and whatever government agency requested the warrant is supposed to investigate based on what the warrant turns up.

Now, the pigeons are coming home to roost. Or, rather, it’s possible that the chickens may be able to fly the coop.

As the Star Tribune reports, the most recent Playpen case is that of Terry Lee Carlson, a 47-year-old from Minnesota, who was arrested following the FBI’s so-called Operation Pacifier.

A federal magistrate judge in Minneapolis, Minnesota, has recommended that evidence seized in Carlson’s home – including 20 storage drives – be suppressed. There’s no way that the Eastern Virginia magistrate judge who issued the NIT warrant had jurisdiction to have it span the entire planet, US Magistrate Judge Franklin Noel wrote in a decision filed at the end of March.

Noel quoted District Judge Robert J Bryan, who in an earlier, related case noted that the FBI didn’t just hack into 120 countries and territories outside the US – it also hacked into a “satellite provider”, meaning that “now we are into outer space as well”.

From Noel’s decision:

Stated differently, the Government claims legal authority from this single warrant, issued in the Eastern District of Virginia, to hack thousands of computers in 120 countries and to install malicious software for the purpose of investigating and searching the private property of uncounted individuals whose identities and crimes were unknown to the Government before launching this massive worldwide search.

Even if the government could legally explain the use of the warrant, the evidence would still be inadmissible, given that the data collected by the NIT wasn’t covered under the warrant in the first place, he wrote:

This Court is aware of no lawful way for the Government to deploy this investigative technique. Assuming without deciding that some way could be devised to use the technology employed here, the Court concludes that the Government, by using the NIT malware to collect data from Carlson’s activating computer, conducted an unlawful search that was not supported by a lawful warrant.

Noel had little good to say about the FBI’s use of malware and its decision to keep Playpen up and running for two weeks after it had arrested the site’s creator:

The purpose and flagrancy of the FBI’s misconduct in attempting to obtain the NIT warrant and deploying the NIT malware is truly staggering.

In order to identify Playpen users, the FBI operated a copied version of a dark web, child pornography website for two weeks. During that period, countless images and video content depicting child pornography were globally downloaded and distributed via the Playpen.

In essence, the FBI facilitated the victimization of minor children and furthered the commission of a more serious crime – the distribution of child pornography to primarily identify offenders committing less serious crimes: viewing and receipt of child pornography.

As the Star Tribune tells it, the opinion is the first by a Minnesota jurist among more than 50 challenges to cases tied to Operation Pacifier. The district’s chief judge, John Tunheim, will decide in coming weeks whether to adopt Noel’s ruling.

Maybe it’s the first time in Minnesota, but it isn’t the first time a judge has tossed evidence spawned by Operation Pacifier: in May 2016, a US federal judge excluded all evidence in a child abuse case that was acquired by the FBI through the NIT exploit.

From the get-go, this case has raised conflicting impulses: on one hand, we want to give the FBI a pat on the back for a job well done when it comes to catching people involved in child abuse. On the other hand, Judge Noel is right: it wasn’t a job well done. By far exceeding the terms of the search warrant, the investigators themselves trampled on the Fourth Amendment.

We have appropriate and time-tested Fourth Amendment limits… Unfortunately in this case, the FBI did not do that – they just threw caution to the wind and got the broadest authority that they could conceive of. It’s going to have consequences down the line.

Those consequences, specifically, are that child abusers could well go unpunished. What a tragic waste of time, technology and investigative talent.